OWASP

Last updated
OWASP
Founded2001 [1]
FounderMark Curphey [1]
Type 501(c)(3) nonprofit organization
FocusWeb security, application security, vulnerability assessment
MethodIndustry standards, conferences, workshops
Avi Douglen, Chair; Matt Tesauro, Vice-Chair; Bil Corry, Treasurer; Ricardo Griffith, Secretary; Kevin Johnson, Member-at-Large; Sam Stepanyan, Member-at-Large; Steve Springett, Member-at-Large [2]
Key people
Andrew van der Stock, Executive Director; Kelly Santalucia, Director of Events and Corporate Support; Harold Blankenship, Director of Technology and Projects; Jason C. McDonald, Director of Community Development; Dawn Aitken, Operations Manager; Lauren Thomas, Event Coordinator [3]
Revenue (2017)
Decrease2.svg $2.3 million [4]
Employees
0 (2020) [5]
Volunteers
approx. 13,000 (2017) [6]
Website owasp.org

The Open Worldwide Application Security Project [7] (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security. [8] [9] [10] The OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.

Contents

History

Mark Curphey started OWASP on September 9, 2001. [1] Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. As of 2015, Matt Konda chaired the Board. [11]

The OWASP Foundation, a 501(c)(3) non-profit organization in the US established in 2004, supports the OWASP infrastructure and projects. Since 2011, OWASP is also registered as a non-profit organization in Belgium under the name of OWASP Europe VZW. [12]

In February 2023, it was reported by Bil Corry, a OWASP Foundation Global Board of Directors officer, [13] on Twitter [7] that the board had voted for renaming from the Open Web Application Security Project to its current name, replacing Web with Worldwide.

Publications and resources

Awards

The OWASP organization received the 2014 Haymarket Media Group SC Magazine Editor's Choice award. [9] [30]

See also

Related Research Articles

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

<span class="mw-page-title-main">SQL injection</span> Computer hacking technique

In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Web development is the work involved in developing a website for the Internet or an intranet. Web development can range from developing a simple single static page of plain text to complex web applications, electronic businesses, and social network services. A more comprehensive list of tasks to which Web development commonly refers, may include Web engineering, Web design, Web content development, client liaison, client-side/server-side scripting, Web server and network security configuration, and e-commerce development.

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.

A penetration test, colloquially known as a pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

<span class="mw-page-title-main">F5, Inc.</span> U.S. information technology company

F5, Inc. is an American technology company specializing in application security, multi-cloud management, online fraud prevention, application delivery networking (ADN), application availability & performance, network security, and access & authorization.

Application security includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance.

<span class="mw-page-title-main">Metasploit</span> Computer security testing tool

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7.

Security testing is a process intended to detect flaws in the security mechanisms of an information system and as such help enable it to protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing process is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering capabilities along with other security features across a number of different platforms including Apache HTTP Server, Microsoft IIS and Nginx. It is free software released under the Apache license 2.0.

API testing is a type of software testing that involves testing application programming interfaces (APIs) directly and as part of integration testing to determine if they meet expectations for functionality, reliability, performance, and security. Since APIs lack a GUI, API testing is performed at the message layer. API testing is now considered critical for automating testing because APIs now serve as the primary interface to application logic and because GUI tests are difficult to maintain with the short release cycles and frequent changes commonly used with Agile software development and DevOps.

Veracode is an application security company based in Burlington, Massachusetts. Founded in 2006, it provides SaaS application security that integrates application analysis into development pipelines.

DevOps is a methodology in the software development and IT industry. Used as a set of practices and tools, DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle.

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

<span class="mw-page-title-main">Kali Linux</span> Debian-based Linux distribution for penetration testing

Kali Linux is a Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security.The software is based on the Debian Testing branch: most packages Kali uses are imported from the Debian repositories.

A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration. They can introduce a performance degradation without proper configuration and tuning from Cyber Security specialist. However, most of the major financial institutions utilize WAFs to help in the mitigation of web application 'zero-day' vulnerabilities, as well as hard to patch bugs or weaknesses through custom attack signature strings.

Approov (formerly CriticalBlue) is a Scottish software company based in Edinburgh that is primarily active in two areas of technology: anti-botnet and automated threat prevention for mobile businesses, and software optimization tools and services for Android and Linux platforms.

ZAP, formerly known as OWASP ZAP, is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.

Milton Smith is an American computer security application developer, researcher, and writer. Smith is best known for his role leading Java platform security at Oracle during a period of high-profile security incidents in the fall of 2012. Due to the climate around Java security, in 2013 Smith was invited to present by Black Hat leadership in a closed session under Non-Disclosure Agreement to top industry leaders. In the same year Smith established the first ever full security track at a software developers conference, JavaOne, Oracle's premier conference for Java software developers in San Francisco, California(USA).

Code Dx, Inc. was an American software technology company active from 2015 to 2021. The company's flagship product, Code Dx, is a vulnerability management system that combines and correlates the results generated by a wide variety of static and dynamic testing tools. In 2021, the company was acquired by Synopsys.

References

  1. 1 2 3 4 Huseby, Sverre (2004). Innocent Code: A Security Wake-Up Call for Web Programmers . Wiley. p.  203. ISBN   0470857447.
  2. "OWASP Foundation Global Board". OWASP. February 14, 2023. Retrieved March 20, 2023.
  3. "OWASP Foundation Staff". OWASP. February 12, 2023. Retrieved May 3, 2022.
  4. "OWASP FOUNDATION INC". Nonprofit Explorer. ProPublica. May 9, 2013. Retrieved January 8, 2020.
  5. "OWASP Foundation's Form 990 for fiscal year ending Dec. 2020". October 29, 2021. Retrieved January 18, 2023 via ProPublica Nonprofit Explorer.
  6. "OWASP Foundation's Form 990 for fiscal year ending Dec. 2017". October 26, 2018. Retrieved January 8, 2020 via ProPublica Nonprofit Explorer.
  7. 1 2 "Web" to "Worldwide" Bil Corry on Twitter
  8. "OWASP top 10 vulnerabilities". developerWorks. IBM. April 20, 2015. Retrieved November 28, 2015.
  9. 1 2 "SC Magazine Awards 2014" (PDF). Media.scmagazine.com. Archived from the original (PDF) on September 22, 2014. Retrieved November 3, 2014.
  10. "OWASP Internet of Things" . Retrieved December 26, 2023.
  11. Board Archived September 16, 2017, at the Wayback Machine . OWASP. Retrieved on 2015-02-27.
  12. OWASP Europe, OWASP, 2016.
  13. Global Board
  14. OWASP Top Ten Project on owasp.org
  15. Trevathan, Matt (October 1, 2015). "Seven Best Practices for Internet of Things". Database and Network Journal. Archived from the original on November 28, 2015.
  16. Crosman, Penny (July 24, 2015). "Leaky Bank Websites Let Clickjacking, Other Threats Seep In". American Banker. Archived from the original on November 28, 2015.
  17. Pauli, Darren (December 4, 2015). "Infosec bods rate app languages; find Java 'king', put PHP in bin". The Register. Retrieved December 4, 2015.
  18. "Payment Card Industry (PCI) Data Security Standard" (PDF). PCI Security Standards Council. November 2013. p. 55. Retrieved December 3, 2015.
  19. "Open Web Application Security Project Top 10 (OWASP Top 10)". Knowledge Database. Synopsys. Synopsys, Inc. 2017. Retrieved July 20, 2017. Many entities including the PCI Security Standards Council, National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) regularly reference the OWASP Top 10 as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives.
  20. "What is OWASP SAMM?". OWASP SAMM. Retrieved November 6, 2022.
  21. Pauli, Darren (September 18, 2014). "Comprehensive guide to obliterating web apps published". The Register. Retrieved November 28, 2015.
  22. Baar, Hans; Smulters, Andre; Hintzbergen, Juls; Hintzbergen, Kees (2015). Foundations of Information Security Based on ISO27001 and ISO27002 (3 ed.). Van Haren. p. 144. ISBN   9789401800129.
  23. "Category:OWASP XML Security Gateway Evaluation Criteria Project Latest". Owasp.org. Archived from the original on November 3, 2014. Retrieved November 3, 2014.
  24. "OWASP Incident Response Project - OWASP". Archived from the original on April 6, 2019. Retrieved December 12, 2015.
  25. "OWASP AppSec Pipeline". Open Web Application Security Project (OWASP). Archived from the original on January 18, 2020. Retrieved February 26, 2017.
  26. "AUTOMATED THREATS to Web applications" (PDF). OWASP. July 2015.
  27. The list of automated threat events
  28. Mehta, Janki (May 8, 2023). "Mitigating OWASP Top 10 Vulnerabilities in 2023". EncryptedFence by Certera - A Complete Web Security Blog. Retrieved June 7, 2023.
  29. "OWASP API Security Project - OWASP Foundation". OWASP.
  30. "Winners | SC Magazine Awards". Awards.scmagazine.com. Archived from the original on August 20, 2014. Retrieved July 17, 2014. Editor's Choice [...] Winner: OWASP Foundation
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.